Splunk® Enterprise Security

Release Notes

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Known issues for Splunk Enterprise Security

Splunk Enterprise Security 7.2.0 was released on September 6, 2023. For more information on release dates for the major versions of Splunk Enterprise Security, see the Software Support Policy page.

This release includes the following known issues.


Date filed Issue number Description
2024-11-05 SOLNESS-47715 Threat match configurations that use Endpoint datasets do not show the default metadata fields _time, sourcetype, source, and host.

Workaround:
Editing the default data model is not advised (unless you have already done so); for this issue it is better to wait for the change to be officially onboarded into a future Splunk SA_CIM data model structure. If you modify the data model, future default changes shipped by the official Splunk app might not be applied, because local changes to a data model take precedence over any default changes Splunk makes to that data model. If you have already modified this data model in the past and it is missing these fields, apply the following changes:
  1. Stop data model acceleration (if enabled) for the data model whose field list is missing _time=* sourcetype=* host=* source=*.
  2. Add the missing fields to each dataset: _time=* sourcetype=* host=* source=*. It might be necessary to add index="NAME OF THE INDEXES" unless the indexes are already specified in the linked macro.
  3. Edit the dataset's extracted fields and select the checkboxes for _time, sourcetype, host, and source.
  4. Save the changes.
  5. Re-enable acceleration if it was enabled.
  6. Edit the affected threat matching datasets by adding these matching fields.
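Before touching a data model by hand, it helps to know which datasets actually lack the four metadata fields, including datasets that inherit them from a parent. The following Python script is an added example for this known issue and is not Splunk's own code. It assumes the JSON shape a Splunk data model export has (a top-level "objects" list whose entries carry "objectName", "parentName" and a "fields" list of {"fieldName": ...} dicts); the SAMPLE_MODEL is constructed for illustration and is not the shipped Endpoint model.

```python
"""Audit a Splunk data model JSON export for datasets that lack the
default metadata fields (_time, sourcetype, source, host).

Added example, not Splunk's own code. Assumes the JSON shape of a data
model export: {"objects": [{"objectName", "parentName", "fields": [...]}]}.
Fields declared on an ancestor dataset are inherited, so a child of a
complete dataset is not reported.
"""
import json

REQUIRED_FIELDS = ("_time", "sourcetype", "source", "host")

# Constructed sample (not a real export): "Ports" has none of the metadata
# fields, "Filesystem" has only _time, "Processes" is complete and
# "Process_Launch" inherits everything from "Processes".
SAMPLE_MODEL = json.dumps({
    "modelName": "Endpoint",
    "objects": [
        {"objectName": "Processes", "parentName": "BaseEvent",
         "fields": [{"fieldName": f} for f in
                    ("_time", "sourcetype", "source", "host", "dest", "process")]},
        {"objectName": "Process_Launch", "parentName": "Processes",
         "fields": [{"fieldName": "parent_process"}]},
        {"objectName": "Ports", "parentName": "BaseEvent",
         "fields": [{"fieldName": "dest"}, {"fieldName": "dest_port"}]},
        {"objectName": "Filesystem", "parentName": "BaseEvent",
         "fields": [{"fieldName": "_time"}, {"fieldName": "file_path"}]},
    ],
})


def effective_fields(objects: dict, name: str, seen=None) -> set:
    """Union of a dataset's own field names and those of all its ancestors."""
    if seen is None:
        seen = set()
    obj = objects.get(name)
    if obj is None or name in seen:          # BaseEvent (not an object) or a cycle
        return set()
    seen.add(name)
    own = {f["fieldName"] for f in obj.get("fields", [])}
    return own | effective_fields(objects, obj.get("parentName", ""), seen)


def datasets_missing_fields(model_json: str, required=REQUIRED_FIELDS) -> dict:
    """Return {objectName: [missing field names]} for datasets that need editing."""
    model = json.loads(model_json)
    objects = {o["objectName"]: o for o in model.get("objects", [])}
    report = {}
    for name in objects:
        present = effective_fields(objects, name)
        missing = [f for f in required if f not in present]
        if missing:
            report[name] = missing
    return report


def audit_sample() -> dict:
    """Run the audit over the constructed sample model."""
    return datasets_missing_fields(SAMPLE_MODEL)


if __name__ == "__main__":
    for dataset, missing in audit_sample().items():
        print(f"{dataset}: add {', '.join(missing)}")
```

Run it against a real export by replacing SAMPLE_MODEL with the JSON returned for the data model in question; only the datasets it lists need the fields added, and accelerated data models should have acceleration stopped first, as the workaround describes.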
2024-05-07 SOLNESS-43726 Performance regression in the main search on the Incident Review page.

Workaround:
For customers on ES 7.2 through ES 7.3.1 who experience slowness on the Incident Review page, the fix introduced in ES 7.3.2 improves Incident Review page load times. ES 7.3.2 GA is scheduled for June 5.

Until ES 7.3.2 is released, the workaround is to remove the reference to the get_drilldown_searches macro from the get_correlations macro in .../apps/SA-ThreatIntelligence/default/macros.conf. Note that this also causes notables to no longer show drilldowns on the Incident Review page. As with any macro change, prefer placing the modified definition in the app's local/macros.conf rather than editing default/, so that the override is not lost on upgrade and can be reverted by deleting it.

2024-04-25 SOLNESS-43458, SOLNESS-47295 Notable event suppression descriptions are not saved after illegal characters are entered in the title.
2024-04-22 SOLNESS-43399 Splunk Enterprise Security asset and identity management KV lookups are broken on Splunk Core version 9.3.0.
2024-02-06 SOLNESS-40942 IR page stuck in Updating after user with ess_analyst role updates notables.
2024-01-12 SOLNESS-40632 Discrepancy in the notable events timeline visualization.

Workaround:
No workaround
2023-12-05 SOLNESS-40127, SOLNESS-40436 Values configured in the "blacklist" or "blacklist_fields" fields of the Identity Manager are ignored.

Workaround:
Update the exclusion fields using the UI. Go to *Configure > Data Enrichment > Assets & Identity Management.* Select the relevant asset or identity lookup. Update the Denylist checkbox or update the field exclusion list.
2023-11-30 SOLNESS-40082 Timeline options for the Investigations do not display correctly for Splunk Enterprise Security version 7.0.2 and higher.
2023-11-30 SOLNESS-40087 In Drilldown Searches, "Latest Offset" UI helper text displays "Earliest Time" instead of "Latest Time".
2023-11-09 SOLNESS-39519 Saved filters in the Incident Review page result in a blank page after upgrading to version 7.2.
2023-11-07 SOLNESS-39507 Updating notable event actions results in the following error: "The update failed: 'list' object has no attribute 'startswith'"
2023-11-02 SOLNESS-39506 Asset and identity enrichment for "dest" assets causes alignment issue in the Incident Review page.

Workaround:
The dest_asset field is not needed in Incident Review. Add the fields Destination IP, Destination DNS, Destination NT Hostname, and Destination MAC Address separately instead.
2023-11-02 SOLNESS-39469 Cannot customize fields in Risk Analysis DataModel
2023-10-20 SOLNESS-39223 Modular input "confcheck_es_bias_language_cleanup" displays an error after upgrade even when it is disabled.

Workaround:
  1. Modify the following file:
     On a search head cluster:
     /opt/splunk/etc/shcluster/apps/SplunkEnterpriseSecuritySuite/README/inputs.conf.spec
     On a standalone ES instance:
     /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/README/inputs.conf.spec
  2. Add the following stanza, including its comment line, at the end of the file:

     # Conf File Check for Bias Language
     [confcheck_es_bias_language_cleanup://default]
     debug = <boolean>

  3. On a search head cluster, push the change to the members by applying the apps bundle. (Skip this step on a standalone search head.)
  4. Clear the messages at the top of the page so that they do not display again.
  5. On a standalone search head, restart the Splunk process.
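Applying this edit by hand on several search heads invites the classic mistake of appending the stanza twice. The following Python helper is an added example, not part of the Splunk documentation or product; it takes the stanza text and file locations from the workaround above as given, and the SAMPLE_SPEC content is constructed for illustration rather than copied from the shipped spec file.

```python
"""Idempotently append the confcheck_es_bias_language_cleanup stanza to
inputs.conf.spec.

Added example, not Splunk's own code. The stanza text and the two file
paths are those given in the workaround; SAMPLE_SPEC is a constructed
stand-in for an existing spec file.
"""
import re
import sys
from pathlib import Path

STANZA_NAME = "confcheck_es_bias_language_cleanup://default"
STANZA_BLOCK = (
    "# Conf File Check for Bias Language\n"
    f"[{STANZA_NAME}]\n"
    "debug = <boolean>\n"
)
SPEC_PATHS = {
    "shcluster": "/opt/splunk/etc/shcluster/apps/SplunkEnterpriseSecuritySuite/README/inputs.conf.spec",
    "standalone": "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/README/inputs.conf.spec",
}

# Constructed sample of a spec file that does not yet carry the stanza.
SAMPLE_SPEC = (
    "[confcheck_es_some_other_check://default]\n"
    "debug = <boolean>\n"
)


def has_stanza(spec_text: str, name: str = STANZA_NAME) -> bool:
    """True if a header line [name] is already present in the spec text."""
    pattern = r"^\[" + re.escape(name) + r"\][ \t]*$"
    return re.search(pattern, spec_text, re.MULTILINE) is not None


def ensure_stanza(spec_text: str) -> str:
    """Return spec_text with the stanza appended exactly once."""
    if has_stanza(spec_text):
        return spec_text                      # already patched: leave untouched
    if spec_text and not spec_text.endswith("\n"):
        spec_text += "\n"                     # never glue onto a partial last line
    return spec_text + "\n" + STANZA_BLOCK


def patch_spec_file(path: str) -> bool:
    """Patch the file in place; return True only if it was modified."""
    p = Path(path)
    original = p.read_text() if p.exists() else ""
    updated = ensure_stanza(original)
    if updated == original:
        return False
    p.write_text(updated)
    return True


if __name__ == "__main__":
    deployment = sys.argv[1] if len(sys.argv) > 1 else "standalone"
    target = SPEC_PATHS[deployment]
    print("patched" if patch_spec_file(target) else "already present", target)
```

Run it with `shcluster` on the deployer (then apply the bundle) or with `standalone` on a single search head (then restart Splunk); rerunning it is safe because an existing stanza header is detected and the file is left unchanged.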

2023-10-11 SOLNESS-39022 No results returned when searching for a notable using the Short ID.
2023-10-02 SOLNESS-38795 Error using the max_mem_usage_mb macro when upgrading from ES 7.0.2.

Workaround:
Make a clone of the notable macro and remove from it the portions that reference the get_drilldown_searches macro. For reference, the definition of the get_drilldown_searches macro is:

    [get_drilldown_searches]
    definition = streamstats count as drilldown_event_id | eval updated_drilldown_searches=if((isnull(drilldown_searches) OR match(drilldown_searches, "\[\]")), json_array(json_object("name", drilldown_name, "search", drilldown_search, "earliest_offset", drilldown_earliest_offset, "latest_offset", drilldown_latest_offset)), drilldown_searches) | eval updated_drilldown_searches=json_array_to_mv(updated_drilldown_searches, true()) | mvexpand updated_drilldown_searches | spath input=updated_drilldown_searches path=name output=_temp_dd_name_ | spath input=updated_drilldown_searches path=search output=_temp_dd_search_ | spath input=updated_drilldown_searches path=earliest_offset output=earliest_offset | spath input=updated_drilldown_searches path=latest_offset output=latest_offset | eval drilldown_index_earliest=case(isint(earliest_offset) AND isint(use_index_time),_time-earliest_offset,earliest_offset="$info_min_time$",'info_min_indextime',1=1,null()),drilldown_index_latest=case(isint(latest_offset) AND isint(use_index_time),_time+latest_offset,latest_offset="$info_max_time$",'info_max_indextime',1=1,null()), earliest_offset=case(isint(earliest_offset),_time-earliest_offset,earliest_offset="$info_min_time$",'info_min_time',1=1,null()), latest_offset=case(isint(latest_offset),_time+latest_offset,latest_offset="$info_max_time$",'info_max_time',1=1,null()) | eval updated_drilldown_obj=json_object("name", _temp_dd_name_, "search", _temp_dd_search_, "earliest", earliest_offset, "latest", latest_offset, "index_earliest", drilldown_index_earliest, "index_latest", drilldown_index_latest) | fields - _temp_dd_search_, _temp_dd_name_, earliest_offset, latest_offset, updated_drilldown_searches | eventstats list(updated_drilldown_obj) as updated_drilldown_obj by drilldown_event_id | dedup drilldown_event_id | eval drilldown_searches=if(((isnull(drilldown_searches) AND isnull(drilldown_search)) OR match(drilldown_searches, "\[\]")), null(), updated_drilldown_obj) | fields - drilldown_event_id, updated_drilldown_obj
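The macro above is dense, and both this workaround and the one for SOLNESS-43726 amount to removing it, so it is worth being clear about what is lost. The following Python script is an added example, not Splunk code: it re-implements the macro's logic (the fallback from the legacy single drilldown_* fields to the drilldown_searches JSON array, the case() branches that turn an integer offset or an $info_min_time$/$info_max_time$ token into absolute bounds, and the final rule that an explicit empty array yields null) over three constructed notables. Field values are written the way spath would deliver them (integers as strings), and the search strings and timestamps are made up.

```python
"""Python re-implementation of what the ES get_drilldown_searches macro
computes for one notable event.

Added example, not Splunk's own code. SAMPLE_NOTABLES are constructed; the
$info_*_time$ tokens and field names follow the macro definition above.
"""
import json
from typing import Optional

INFO_MIN = "$info_min_time$"
INFO_MAX = "$info_max_time$"


def _is_int(value) -> bool:
    """Approximate SPL isint(): true for ints and integer-looking strings."""
    if value is None or isinstance(value, bool):
        return False
    if isinstance(value, int):
        return True
    if isinstance(value, str):
        try:
            int(value)
            return True
        except ValueError:
            return False
    return False


def _resolve(base_time, offset, token, token_value, sign, gate=True):
    """Mirror one case(): integer offset -> base_time +/- offset (only when
    `gate`, i.e. isint(use_index_time), holds for the index-time variant),
    the $info_*_time$ token -> the search boundary, anything else -> null."""
    if _is_int(offset) and gate:
        return base_time + sign * int(offset)
    if offset == token:
        return token_value
    return None


def expand_drilldowns(ev: dict) -> Optional[list]:
    """Return the list of drilldown objects the macro would emit, or None."""
    raw = ev.get("drilldown_searches")
    # match(drilldown_searches, "\[\]") is an unanchored regex: any "[]" matches
    is_empty_array = raw is not None and "[]" in str(raw)
    if raw is None or is_empty_array:
        entries = [{"name": ev.get("drilldown_name"),
                    "search": ev.get("drilldown_search"),
                    "earliest_offset": ev.get("drilldown_earliest_offset"),
                    "latest_offset": ev.get("drilldown_latest_offset")}]
    else:
        entries = json.loads(raw) if isinstance(raw, str) else list(raw)

    t = ev["_time"]
    index_ok = _is_int(ev.get("use_index_time"))
    out = []
    for e in entries:
        eo, lo = e.get("earliest_offset"), e.get("latest_offset")
        out.append({
            "name": e.get("name"),
            "search": e.get("search"),
            "earliest": _resolve(t, eo, INFO_MIN, ev.get("info_min_time"), -1),
            "latest": _resolve(t, lo, INFO_MAX, ev.get("info_max_time"), +1),
            "index_earliest": _resolve(t, eo, INFO_MIN, ev.get("info_min_indextime"), -1, index_ok),
            "index_latest": _resolve(t, lo, INFO_MAX, ev.get("info_max_indextime"), +1, index_ok),
        })

    # Final eval: no drilldown at all, or an explicit empty array, yields null.
    if (raw is None and ev.get("drilldown_search") is None) or is_empty_array:
        return None
    return out


# Constructed notables (not real data).
SAMPLE_NOTABLES = [
    {   # current format: JSON array, relative earliest, token latest
        "_time": 1700000000, "use_index_time": "1",
        "info_min_time": 1699996400, "info_max_time": 1700003600,
        "info_min_indextime": 1699996500, "info_max_indextime": 1700003700,
        "drilldown_searches": json.dumps([{
            "name": "View process activity",
            "search": "| from datamodel:Endpoint.Processes | search dest=$dest$",
            "earliest_offset": "3600", "latest_offset": INFO_MAX}]),
    },
    {   # legacy format: single drilldown_* fields, no drilldown_searches
        "_time": 1700000000,
        "info_min_time": 1699996400, "info_max_time": 1700003600,
        "drilldown_name": "View authentication events",
        "drilldown_search": "| from datamodel:Authentication | search user=$user$",
        "drilldown_earliest_offset": INFO_MIN, "drilldown_latest_offset": "600",
    },
    {   # explicit empty array: the macro returns null regardless
        "_time": 1700000000, "drilldown_searches": "[]", "drilldown_search": "x"},
]


def expand_samples() -> list:
    return [expand_drilldowns(ev) for ev in SAMPLE_NOTABLES]


if __name__ == "__main__":
    for result in expand_samples():
        print(json.dumps(result))
```

Two details matter when you decide to drop the macro: legacy notables that carry only drilldown_search still get a drilldown object (the index-time bounds stay null when use_index_time is unset), and a notable whose drilldown_searches is literally "[]" gets none, even if drilldown_search is set.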


2023-09-25 SOLNESS-38785 Incident Review - Results Per Page Setting Goes Back to Default after Clicking Refresh
2023-09-22 SOLNESS-38777 Error message might be displayed when expanding notables in the Incident Review page.
2023-09-11 SOLNESS-38498 The Risk Score field is not displayed as a link when you expand the rows in Incident Review and go to Additional Fields.
2023-09-07 SOLNESS-38261 Unable to filter for events using "event_id=notable_id" in the Incident Review page and getting redirected to default filters.
2023-08-30 SOLNESS-37237 Cloned dashboards in Splunk Enterprise Security version 7.1.1 return a 404 error.
2023-08-25 SOLNESS-37062 New drill-down searches in the Correlation Editor can show validation errors if they were saved earlier.
2023-08-08 SOLNESS-36864 Timeline on Incident Review page: Cannot zoom in by double clicking
2023-08-02 SOLNESS-36801 Clicking Save or Save new filters twice might cause the Incident Review page to freeze or remain unresponsive.
2023-07-27 SOLNESS-36746, SOLNESS-36748 Notable titles that contain non-existent tokens are normalized with empty strings in the Incident Review page.
2023-07-27 SOLNESS-36731 Timeline on Incident Review page: Cannot activate or deactivate timeline buttons
2023-07-25 SOLNESS-36660 Timeline on Incident Review page: Cannot zoom in on a selection of < 1 minute
2023-07-20 SOLNESS-36590 The script 'confcheck_es_bias_language_cleanup' is reported as missing in Splunk Enterprise Security 7.2.0.
2023-07-18 SOLNESS-36563 Timeline on Incident Review page: cannot select a bar that was previously deselected

Workaround:
Select, then deselect, a different bar. Then select the bar that you originally wanted to select.
2022-09-14 SOLNESS-32647 Saved searches created in the Content Management page with private settings are not displayed.
Last modified on 11 November, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 7.2.0

